Hi,

I came across an interesting problem while trying to implement a particular security use case. The use case is pretty simple - I need to secure the after-invocation of a method, but not its invocation.

Since there is no way to tell the MethodSecurityInterceptor to intercept just the after-invocation, I sought the help of the prefixes. Something like:
    <property name="objectDefinitionSource">
        <value>
            LoanService.getAllLoans=OBJECT_AFTER_BM <!-- Secure just after-inv -->
        </value>
    </property>
, and configured just Role Voter and AfterInvocationProvider.

This looks fine at first sight - for the "getAllLoans" method the prefix would match that of AfterInvocationProvider but not that of the Role Voter.

The problem is that I have set "allowIfAllAbstain" to false. Consequently, when the method call gets intercepted (before invocation) the Role Voter would return ABSTAIN and, because of the flag not being set, Acegi would deny access to the user.

I am not so enthusiastic about setting the flag to true. Could anybody suggest some other possible alternatives? My last option is to have a custom MethodSecurityInterceptor that enables separation of before-invocation and after-invocation interception.

Thanks & Rgds,
Vikas
"Quidquid latine dictum sit, altum sonatur"
Whatever is said in Latin, sounds profound
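An added illustration of the abstain-then-deny behaviour described in the post and of one voter-based alternative to flipping the flag; it is not code from the original post or from the Acegi project. It assumes Acegi 1.0.x with the org.acegisecurity package (earlier releases used net.sf.acegisecurity), and AfterInvocationMarkerVoter, its MARKER constant and the user credentials are hypothetical.

```java
// Added illustration; not code from the original post or from the Acegi project.
// Assumes Acegi 1.0.x (org.acegisecurity); AfterInvocationMarkerVoter is hypothetical.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.acegisecurity.*;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.vote.*;
public class AfterInvocationOnlyDemo {
    // Hypothetical voter that recognises the after-invocation marker attribute and votes
    // GRANTED at before-invocation time, so the vote no longer ends in "all abstained".
    // The real check stays with the AfterInvocationProvider on the same interceptor.
    static class AfterInvocationMarkerVoter implements AccessDecisionVoter {
        static final String MARKER = "OBJECT_AFTER_BM";
        public boolean supports(ConfigAttribute attribute) { return MARKER.equals(attribute.getAttribute()); }
        public boolean supports(Class clazz) { return true; }
        public int vote(Authentication auth, Object object, ConfigAttributeDefinition config) {
            for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
                if (supports((ConfigAttribute) it.next())) return ACCESS_GRANTED;
            }
            return ACCESS_ABSTAIN; // no marker present: leave the decision to the other voters
        }
    }
    // True if the decision manager lets the (before-invocation) call through.
    static boolean permitted(AffirmativeBased adm, Authentication auth, ConfigAttributeDefinition cfg) {
        try {
            adm.decide(auth, null, cfg); // the secured object is unused by these voters
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        // Same attribute as LoanService.getAllLoans=OBJECT_AFTER_BM in the post
        ConfigAttributeDefinition cfg = new ConfigAttributeDefinition();
        cfg.addConfigAttribute(new SecurityConfig(AfterInvocationMarkerVoter.MARKER));
        Authentication user = new UsernamePasswordAuthenticationToken("user", "pw",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
        List voters = new ArrayList();
        voters.add(new RoleVoter()); // abstains: OBJECT_AFTER_BM has no ROLE_ prefix
        AffirmativeBased adm = new AffirmativeBased();
        adm.setDecisionVoters(voters);
        adm.setAllowIfAllAbstainDecisions(false);
        System.out.println("RoleVoter only, allowIfAllAbstainDecisions=false: " + permitted(adm, user, cfg));
        voters.add(new AfterInvocationMarkerVoter());
        adm.setDecisionVoters(voters); // marker voter now carries the before-invocation vote
        System.out.println("With marker voter: " + permitted(adm, user, cfg));
    }
}
```

The marker voter grants any authenticated caller at before-invocation time, so it is only appropriate when the matching AfterInvocationProvider is configured on the same interceptor to do the actual filtering of the returned loans.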
